Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suppress CVEs #14648

Merged
merged 3 commits into from
Jul 25, 2023
Merged

Suppress CVEs #14648

merged 3 commits into from
Jul 25, 2023

Conversation

AmatyaAvadhanula
Copy link
Contributor

CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing.
CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal

tejaswini-imply
tejaswini-imply reviewed Jul 25, 2023
View reviewed changes
Copy link
Member

@tejaswini-imply tejaswini-imply left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add the comments in the PR description to the suppressions file? It would be easier in the future to assess why a CVE was suppressed.

@AmatyaAvadhanula
Copy link
Contributor Author

Thank you @tejaswini-imply for the feedback. I've added the comments in the suppressions file

@AmatyaAvadhanula AmatyaAvadhanula added this to the 27.0 milestone Jul 25, 2023
tejaswini-imply
tejaswini-imply approved these changes Jul 25, 2023
View reviewed changes
Copy link
Member

@tejaswini-imply tejaswini-imply left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@abhishekagarwal87 abhishekagarwal87 merged commit 6566bda into apache:master Jul 25, 2023
14 of 17 checks passed
@AmatyaAvadhanula AmatyaAvadhanula mentioned this pull request Jul 25, 2023
Merged
AmatyaAvadhanula added a commit to AmatyaAvadhanula/druid that referenced this pull request Jul 25, 2023
@AmatyaAvadhanula
Suppress CVEs (apache#14648)
c14d60d 
CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing.
CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tejaswini-imply tejaswini-imply tejaswini-imply approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
27.0
Development

Successfully merging this pull request may close these issues.
3 participants
@AmatyaAvadhanula @tejaswini-imply @abhishekagarwal87